GDPR/The Canadian Privacy Act and Ok Alone

From the 18th of May 2018 all countries in the European Union had to abide by the new General Data Protection Regulation (GDPR). This was approved by the European Parliament and Council and replaced the Data Protection Directive 95/46/ec.  These regulations apply to everyone from small businesses to large enterprises handling personal data within the EU. GDPR also applies to anyone outside the EU who handles personal data of an EU resident. 

Union Wide Uniformity and Personal Data

The reason for the GDPR is to make sure there are uniform data security laws across all EU members. This means countries no longer have to write their own laws and ensures all laws are the same across the union. To read the full document click this link https://gdpr-info.eu/

The regulations were brought in to protect people’s personal data when they are online. The GDPR covers data collected about someone that could be used to identify them, this could include:

  • Names
  • Social Media Posts
  • Email Addresses
  • IP Addresses
  • Photos
  • Personal Medical Information
  • Phone Numbers
  • Date of Birth
  • Bank Details
  • Passport Number

Any data that could be used to identify an individual, either a single piece, like a name, or many small pieces that add up to identify an individual need to be safeguarded.

GDPR Principles

There are seven principles of GDPR which are laid out in Article 5: ¹

  • Lawfulness, Fairness and Transparency
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitation
  • Integrity And Confidentiality (Security)
  • Accountability 

The only principle that was not included in previous regulations is ‘accountability’. This means companies need to prove they are compliant with the regulations, are documenting how their data is protected and that only people who need access to information can access it.

Brexit Impact

As the UK is leaving the European Union, it has introduced the UK GDPR to work alongside the Data Protection Act 2018 (DPA). The UK GDPR maintains the data protection standards of the GDPR and the same extraterritorial scope. Therefore, companies based outside the EEA who process UK resident’s data for the purposes of providing goods or services will have to comply with the standards set out in the UK GDPR. Any necessary decisions on the GDPR previously decided by the European Commission, will be transferred to the Secretary of State and/or the Information Commissioner. ²

GDPR/The Canadian Privacy Act and Ok Alone

Trusty Ox Systems Ltd, a Canadian Controlled Private Company which delivers the Ok Alone service and who is the data processor, has written its privacy policy to comply with the GDPR in the EU and UK and the Canadian Privacy Act.  In particular, Ok Alone uses personal data for the legitimate interest of providing its services, which is in line with GDPR, Article 5, point B ‘Personal data shall be: collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); ³

You may review the full privacy policy here – https://www.okaloneworker.com/work-alone-monitoring-privacy

The Data flow process and Data Storage

The servers used by Ok Alone are located in Canada and are subject to PIPEDA (Personal Information Protection and Electronic Documents Act). This ensures all data received from customers is kept securely.

Data Sharing

Ok Alone does not share any data or information with other companies. In addition to the primary purposes, we are also legally obliged to share certain data with other public bodies and will do so where the law requires this; we will also generally comply with requests for specific information from other regulatory and law enforcement bodies where this is necessary and proportionate.

Data Access Information

Ok Alone takes data privacy very seriously, making sure internal access to customer’s personal data is on a need to know basis.  All users with access to personal data have individual logins and standard industry security practices are maintained.

Ok Alone customers also have a great deal of control over which people internally see personal data.  There are three levels of user access rights for the Monitors, each of which grants different access to personal data. Workers do not have access personal data. All interaction between Workers and the system occurs through an encrypted connection with the app. Combined, this ensures people’s data stays private.

User Rights

Each person has the right to request deletion, updating, correction, or the full record of their data.  To enable this, each Admin Monitor can add, edit, update and delete Worker’s personal information in the system.  In the event that there is a particular element of data the Monitor cannot edit, update or delete, they can also email us at [email protected] to request data is removed from our systems.

Subprocessors

GDPR requires processors to inform clients of any subprocessors they may have contact with. Here is a list of all subprocessors that Ok Alone is engaged with.

  • Amazon Web Services
  • Azure – Microsoft Corporation
  • Twilio
  • AgileCRM
  • Google LLC
  • Catalyst2
  • Linode
  • Bambora
  • PayPal

1 – https://gdpr-info.eu/art-5-gdpr/

2- Item 2.14 https://www.legislation.gov.uk/uksi/2019/419/pdfs/uksiem_20190419_en.pdf

3 – https://gdpr-info.eu/art-5-gdpr/